Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

extract AWS account number from ID without verification #2091

Merged
merged 6 commits into from
Nov 16, 2023
Merged

extract AWS account number from ID without verification #2091

merged 6 commits into from
Nov 16, 2023

Conversation

joeleonjr
Copy link
Contributor

Description:

Research by Tal Be'ery documented how to extract AWS account numbers from AWS IDs (ex: AKIASP2TPHJSQH3FJRUX -> 171436882533) without having to interact with the AWS API.

I ported his python function to golang, added error handling, updated logic in the aws.go file and updated the aws integration tests.

Note: if AWS secret verification is successful, the calculated AWS account number gets overwritten by the API's account number response. These values should always be the same.

Also, commented out is a suggestion that we log situations where the calculated account number does not match the API-verified account number. This should rarely (if ever) occur; however, if we can monitor this, that would be helpful to verify accuracy at scale.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@joeleonjr joeleonjr requested a review from a team as a code owner November 3, 2023 16:18
@joeleonjr joeleonjr changed the title extract AWS account from ID without verification extract AWS account number from ID without verification Nov 3, 2023
ahrav
ahrav approved these changes Nov 4, 2023
View reviewed changes
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
pkg/detectors/aws/aws.go Show resolved Hide resolved
ahrav
ahrav reviewed Nov 4, 2023
View reviewed changes
pkg/detectors/aws/aws.go Outdated Show resolved Hide resolved
rosecodym
rosecodym reviewed Nov 7, 2023
View reviewed changes
Copy link
Collaborator

@rosecodym rosecodym left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this also work for short-lived AWS credentials (the kind that use session keys)? We recently added a separate detector for those.

@joeleonjr
Copy link
Contributor Author

Does this also work for short-lived AWS credentials (the kind that use session keys)? We recently added a separate detector for those.

It should. I'm going to move this function into the common lib, so that we can re-use it across that separate detector.

@joeleonjr joeleonjr requested a review from a team as a code owner November 15, 2023 21:40
@joeleonjr
Copy link
Contributor Author

@ahrav do you mind doing another quick review now that the code has been refactored and moved to utils?

@joeleonjr joeleonjr merged commit b2042e4 into main Nov 16, 2023
9 checks passed
@joeleonjr joeleonjr deleted the map-aws-id-to-account-id branch November 16, 2023 16:45
@ahrav
Copy link
Collaborator

ahrav commented Nov 16, 2023

@ahrav do you mind doing another quick review now that the code has been refactored and moved to utils?

forgot to reply yesterday, but LGTM! Nice work.

@aidansteele aidansteele mentioned this pull request Jan 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahrav ahrav ahrav approved these changes

@rosecodym rosecodym rosecodym approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joeleonjr @ahrav @rosecodym